Added Controller::enableCsrfValidation to support turning on/off CSRF…
… validation for particular actions.
qiangxue committed Sep 19, 2013
1 parent 0fc423c commit f9b9575
Showing 3 changed files with 22 additions and 2 deletions.
2 changes: 2 additions & 0 deletions framework/yii/base/Controller.php
Expand Up @@ -210,6 +210,7 @@ public function createAction($id)
/**
* This method is invoked right before an action is to be executed (after all possible filters.)
* You may override this method to do last-minute preparation for the action.
* If you override this method, please make sure you call the parent implementation first.
* @param Action $action the action to be executed.
* @return boolean whether the action should continue to be executed.
*/
Expand All @@ -223,6 +224,7 @@ public function beforeAction($action)
/**
* This method is invoked right after an action is executed.
* You may override this method to do some postprocessing for the action.
* If you override this method, please make sure you call the parent implementation first.
* @param Action $action the action just executed.
* @param mixed $result the action return result.
*/
18 changes: 18 additions & 0 deletions framework/yii/web/Controller.php
Expand Up @@ -19,6 +19,12 @@
*/
class Controller extends \yii\base\Controller
{
/**
* @var boolean whether to enable CSRF validation for the actions in this controller.
* CSRF validation is enabled only when both this property and [[Request::enableCsrfValidation]] are true.
*/
public $enableCsrfValidation = true;

/**
* Binds the parameters to the action.
* This method is invoked by [[Action]] when it begins to run with the given parameters.
Expand Down Expand Up @@ -61,6 +67,18 @@ public function bindActionParams($action, $params)
return $args;
}

/**
* @inheritdoc
*/
public function beforeAction($action)
{
if (parent::beforeAction($action)) {
return !$this->enableCsrfValidation || Yii::$app->getRequest()->validateCsrfToken();
} else {
return false;
}
}

/**
* Creates a URL using the given route and parameters.
*
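Review bot: The new `beforeAction()` override in web/Controller.php makes whether the action runs depend on the return value of `Request::validateCsrfToken()`, yet the only contract this commit documents for that method is the exception path (`@throws HttpException`, no `@return`; its body is outside the hunk). If `validateCsrfToken()` returns nothing on success, `!$this->enableCsrfValidation || Yii::$app->getRequest()->validateCsrfToken()` evaluates to `false` for every request with validation enabled and the action is silently skipped with a normal response instead of the intended 400. Either make `validateCsrfToken()` explicitly return `true` on success and document that, or call it for its exception side effect only: `if ($this->enableCsrfValidation) { Yii::$app->getRequest()->validateCsrfToken(); } return true;`. The `@inheritdoc` docblock also hides that this override enforces CSRF; a sentence such as `Performs CSRF validation when [[enableCsrfValidation]] is true, after the parent's checks pass; throws HttpException on failure.` would make the contract visible to subclasses that override it.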
4 changes: 2 additions & 2 deletions framework/yii/web/Request.php
Expand Up @@ -87,6 +87,7 @@ class Request extends \yii\base\Request
* In JavaScript, you may get the values of [[csrfVar]] and [[csrfToken]] via `yii.getCsrfVar()` and
* `yii.getCsrfToken()`, respectively. The [[\yii\web\YiiAsset]] asset must be registered.
*
* @see Controller::enableCsrfValidation
* @see http://en.wikipedia.org/wiki/Cross-site_request_forgery
*/
public $enableCsrfValidation = false;
Expand Down Expand Up @@ -122,8 +123,6 @@ class Request extends \yii\base\Request
*/
public function resolve()
{
$this->validateCsrfToken();

$result = Yii::$app->getUrlManager()->parseRequest($this);
if ($result !== false) {
list ($route, $params) = $result;
Expand Down Expand Up @@ -1023,6 +1022,7 @@ protected function createCsrfCookie()
* Performs the CSRF validation.
* The method will compare the CSRF token obtained from a cookie and from a POST field.
* If they are different, a CSRF attack is detected and a 400 HTTP exception will be raised.
* This method is called in [[Controller::beforeAction()]].
* @throws HttpException if the validation fails
*/
public function validateCsrfToken()
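Review bot: Removing the `validateCsrfToken()` call from `Request::resolve()` narrows CSRF coverage: enforcement now happens only inside `\yii\web\Controller::beforeAction()`, so a controller that extends `\yii\base\Controller` directly, overrides `beforeAction()` without calling the parent, or sets its own `$enableCsrfValidation` to false receives no check even when `Request::$enableCsrfValidation` is true. That should be stated where the request-side flag is documented; the hunk's `@see Controller::enableCsrfValidation` points at the other flag, but the surrounding docblock (which starts outside the hunk) could add `Validation is performed by [[Controller::beforeAction()]]; controllers not derived from [[\yii\web\Controller]] must call [[validateCsrfToken()]] themselves.` The `resolve()` body continues past the hunk, so this assumes no other caller of `validateCsrfToken()` remains there.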
